In accordance with the General Data Protection Regulation (GDPR), we have implemented this privacy notice to inform
you, our clients, of the types of data we process about you. We also include within this notice the reasons for
processing your data, the lawful basis that permits us to process it, how long we keep your data for and your
rights regarding your data.
This notice applies to current and former clients.
A) DATA PROTECTION PRINCIPLES
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In
accordance with these principles, we will ensure that:
- a) processing is fair, lawful and transparent
- b) data is collected for specific, explicit, and legitimate purposes
- c) data collected is adequate, relevant and limited to what is necessary for the purposes of processing
- d) data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without
- e) data is not kept for longer than is necessary for its given purpose
- f) data is processed in a manner that ensures appropriate security of personal data including protection against
unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical
or organisation measures
- f) we comply with the relevant GDPR procedures for international transferring of personal data
B) TYPES OF DATA HELD
We keep several categories of personal data on our clients in order to carry out effective and efficient services.
We keep this data in a secure file relating to each client and we also hold the data within our computer systems,
for example, our encrypted drive.
Specifically, we hold the following types of data:
- a) personal details such as name, address, phone numbers
- b) occupation
- c) name and contact details of your next of kin
- d) financial information, such as credit card details used to pay us
- e) your gender, information of any disability you have or other medical information
- f) background referral details
C) COLLECTING YOUR DATA
You provide several pieces of data to us directly during the initial enquiry period and subsequently prior to and
upon the start of your therapy.
In some cases, we will collect data about you from third parties, such as GPs, schools, local authorities, the NHS
and other speech and language therapists when gathering background information about your diagnosis.
Personal data is kept in files or within the Company’s IT systems.
D) LAWFUL BASIS FOR PROCESSING
The law on data protection allows us to process your data for certain reasons only. In the main, we process your
data in order to comply with a legal requirement or in order to effectively manage the service contract we have
with you, including ensuring you are receiving the therapy you require.
The information below categorises the types of data processing we undertake and the lawful basis we rely on.
|Activity requiring your data||Lawful basis|
|To set you up as a client on our IT systems, and create a client file, may include carrying out fraud,
anti-money laundering and other regulatory checks
|Performance of the contract and substantial public interest|
|To provide you with speech and language therapy and related services||Performance of the contract and providing you with our services|
|Account settlement purposes||Performance of the contract and establish, exercise or defend our legal rights|
|For audit and research purposes||Performance of the contract and establish, exercise or defend our legal rights|
|Communication regarding a complaint||Performance of the contract and establish, exercise or defend our legal rights|
|Communicating with any other individual that you have asked us to update about your therapy or related
|Performance of the contract and our legitimate interests|
|Complying with our legal or regulatory obligations, and defending or exercising our legal rights||Performance of the contract and establish, exercise or defend our legal rights|
|Providing improvements to the quality of our service, including surveys, testimonials and feedback||Our legitimate interests|
|Managing our business operations such as maintaining accounting records, analysis of financial results,
internal audit requirements, receiving professional advice (tax and legal)
|Our legitimate interests|
|Provide marketing information to you, including information about our services and products in line with
the preferences you have consented
|Our legitimate interests|
E) SPECIAL CATEGORIES OF DATA
Special categories of data are data relating to your:
- a) health
- b) race
- c) ethnic origin
- d) details of the services you have received from us
We carry out processing activities using special category data:
- a) for the purposes of effectively monitoring our service
- b) to determine reasonable adjustments.
Most commonly, we will process special categories of data when the following applies:
- a) you have given explicit consent to the processing
- b) we must process the data in order to carry out our legal obligations
- c) we must process data for reasons of substantial public interest
- d) you have already made the data public.
F) FAILURE TO PROVIDE DATA
Your failure to provide us with data may mean that we are unable to fulfil our requirements for entering into a contract
of service with you. This could include being unable to offer you a course of therapy.
G) WHO WE SHARE YOUR DATA WITH
Employees within our company who have responsibility for client care, administration of payment and therapy will
have access to your data which is relevant to their function. All employees with such responsibility have been
trained in ensuring data is processing in line with GDPR.
Data is shared with third parties for the following reasons:
- Administration of payment
- Referrals that you have consented about
- To meet legal obligations upon us
- Regulatory requests
We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to
comply with a legal obligation upon us. We have a data processing agreement in place with such third parties
to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures
to ensure the security of your data.
We do not share your data with bodies outside of the European Economic Area.
H) PROTECTING YOUR DATA
We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction
and abuse. We have implemented processes to guard against such.
I) RETENTION PERIODS
We only keep your data for as long as we need it for, which will be at least for the duration of your therapy with
us though in some cases we will keep your data for a period after your therapy has ended. Some data retention
periods are set by the law. Retention periods can vary depending on why we need your data, as set out below:
|Record||Statutory Retention Period|
|Children/young adults client file||Until the child reaches 25 or 6 years from discharge|
|Adults client file||6 years from discharge|
|Record||Statutory Retention Period|
|CCTV at our clinic entrance||6 months|
|Credit card details taken at start of therapy||Until discharge|
|Debtor records cleared||6 years|
|Debtor records not cleared||Until cleared|
|Invoices to clients||6 years|
|Client information collected when booking appointments including enquiries||6 years|
|Complaints case file||6 years|
|Fraud case file||6 years|
|Litigation records||6 years|
|Subject access requests (SAR) and disclosure correspondence||3 years|
|Subject access requests where there has been an appeal||6 years|
|Incident/Accident forms||10 years|
J) CLIENT RIGHTS
Under data protection law you have certain rights in relation to the personal information that we hold about you.
These include rights to know what information we hold about you and how it is used. You may exercise these rights
at any time by contacting us using the details set out above at the top of the page.
There will not usually be a charge for handling a request to exercise your rights.
If we cannot comply with your request to exercise your rights we will usually tell you why.
There are some special rules about how these rights apply to health information as set out in legislation including
the Data Protection Act (current and future), the General Data Protection Regulation as well as any secondary
legislation which regulates the use of personal information.
If you make a large number of requests or it is clear that it is not reasonable for us to comply with a request then
we do not have to respond. Alternatively, we can charge for responding.
Your rights include:
The right to access your personal information
You are usually entitled to a copy of the personal information we hold about you and details about how we use it.
Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request
electronically (eg by email) the information will be provided to you by electronic means where possible.
Please note that in some cases we may not be able to fully comply with your request, for example if your request
involves the personal data of another person and it would not be fair to that person to provide it to you.
You are entitled to the following under data protection law.
Under Article 15(1) of the GDPR we must usually confirm whether we have personal information about you. If we do
hold personal information about you we usually need to explain to you:
- The purposes for which we use your personal information
- The types of personal information we hold about you
- Who your personal information has been or will be shared with, including in particular organisations based
outside the EEA.
- If your personal information leaves the EU, how we make sure that it is protected
- Where possible, the length of time we expect to hold your personal information. If that is not possible, the
criteria we use to determine how long we hold your information for
- If the personal data we hold about you was not provided by you, details of the source of the information
- Whether we make any decisions about you solely by computer and if so details of how those decisions are made
and the impact they may have on you
- Your right to ask us to amend or delete your personal information
- Your right to ask us to restrict how your personal information is used or to object to our use of your personal
- • Your right to complain to the Information Commissioner’s Office
We also need to provide you with a copy of your personal data.
The right to rectification
We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you
do not believe this is the case, you can ask us to update or amend it.
The right to erasure (also known as the right to be forgotten)
We may update this Privacy Notice from time to time to ensure that it remains accurate, and the most up-to-date version can always be found at https://www.unlockinglanguage.co.uk. In the event that there are any material changes
to the manner in which your personal information is to be used then we will provide you with an updated copy
of this Privacy Notice.
In some circumstances, you have the right to request that we delete the personal information we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question.
In particular, for example, we do not have to comply with your request if it is necessary to keep your information
in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing,
exercise or defending legal claims.
The right to restriction of processing
In some circumstances, we must “pause” our use of your personal data if you ask us to. We do not have to comply with
all requests to restrict our use of your personal information. In particular, for example, we do not have to
comply with your request if it is necessary to keep your information in order to perform tasks which are in the
public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.
The right to data portability
In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible another individual/organisation of your choice. The information must be transferred in an electronic
The right to object to marketing
You can ask us to stop sending you marketing messages at any time and we must comply with your request. You can do this by contacting the appointed compliance officer.
The right not to be subject to automatic decisions (ie decisions that are made about you by computer alone)
You have a right to not be subject to automatic decisions (ie decisions that are made about you by computer alone)
that have a legal or other significant effect on you.
Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any
time. This means that we will stop processing your data.
L) MAKING A COMPLAINT
If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner
(ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire
SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.
M) DATA PROTECTION COMPLIANCE
Our appointed compliance officer in respect of our data protection activities is: